
Secrets Injector Webhook Overwrites PodTemplate Annotations #51

@rusty-jules

Description

Your environment

Secret Injector Version: 1.0.2

1Password CLI Version: 2

Connect Server Version: 1.7.2 (not sure this is relevant; this occurred using OP_SERVICE_ACCOUNT_TOKEN as well)

Kubernetes Version: 1.27

What happened?

Once secrets are injected in a pod, the only annotation on the pod is the operator.1password.io/status=injected. All other annotations from spec.template.metadata.annotations are overwritten.

What did you expect to happen?

The annotations from the podTemplate of the deployment, or on a single pod manifest, should be preserved.

Steps to reproduce

1. Create a deployment with annotations in the podTemplate including annotations to inject:

   ```shell
   kubectl create -f deployment.yaml
   ```

   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: mydeployment
     namespace: default
   spec:
     selector:
       matchLabels:
         app: mydeployment
     template:
       metadata:
         labels:
           app: mydeployment
         annotations:
           operator.1password.io/inject: mycontainer
           operator.1password.io/version: 2-beta
           myannotation: mine
       spec:
         containers:
           - name: mycontainer
             image: alpine
             command:
               - sleep
               - infinity
   ```

2. See that myannotation is missing from the pod:

   ```shell
   kubectl get pods -l app=mydeployment -o=jsonpath='{.items[*].metadata.annotations}'
   ```

   ```json
   {"operator.1password.io/status":"injected"}
   ```

Notes & Logs

The op-secrets-injector should do a merge with the existing annotations. If the inject and version annotations are undesirable, those should be selectively removed from the pod. Current behavior makes it impossible to use any custom annotations for purposes such as the downward API.
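To make the difference between overwrite and merge concrete, here is an added example in Python (not the injector's own code, and not from the issue author): it builds the JSON Patch a mutating admission webhook would return for the pod template above, once replacing the whole annotations map (the reported behaviour) and once adding only the status key (the requested behaviour, optionally removing the injector's own keys), and applies each patch to show which annotations survive. The `POD` sample and the small `apply_patch` helper are constructed for this example; the annotation keys are the ones from the report.

```python
import copy

# Constructed sample pod: the annotations from the report's deployment template.
POD = {"metadata": {"annotations": {
    "operator.1password.io/inject": "mycontainer",
    "operator.1password.io/version": "2-beta",
    "myannotation": "mine",
}}}
STATUS_KEY = "operator.1password.io/status"
INJECT_KEYS = ("operator.1password.io/inject", "operator.1password.io/version")


def escape_pointer(key: str) -> str:
    """RFC 6901: inside a JSON Pointer segment '~' becomes '~0' and '/' becomes '~1'."""
    return key.replace("~", "~0").replace("/", "~1")


def overwrite_patch() -> list:
    """Reported behaviour: replace the whole map, so every other annotation is lost."""
    return [{"op": "replace", "path": "/metadata/annotations",
             "value": {STATUS_KEY: "injected"}}]


def merge_patch(pod: dict, drop_inject_keys: bool = False) -> list:
    """Expected behaviour: add only the status key (and optionally remove the injector's own keys)."""
    annotations = pod["metadata"].get("annotations")
    if annotations is None:  # no annotations map yet: create it with just the status key
        return [{"op": "add", "path": "/metadata/annotations", "value": {STATUS_KEY: "injected"}}]
    ops = [{"op": "add", "path": "/metadata/annotations/" + escape_pointer(STATUS_KEY),
            "value": "injected"}]
    if drop_inject_keys:
        ops += [{"op": "remove", "path": "/metadata/annotations/" + escape_pointer(k)}
                for k in INJECT_KEYS if k in annotations]
    return ops


def apply_patch(pod: dict, patch: list) -> dict:
    """Minimal JSON Patch applier (add/replace/remove), enough to show the resulting annotations."""
    result = copy.deepcopy(pod)
    for op in patch:
        # Split on '/' first, then unescape each segment, so '~1' inside a key stays one segment.
        segments = [s.replace("~1", "/").replace("~0", "~") for s in op["path"].lstrip("/").split("/")]
        parent = result
        for seg in segments[:-1]:
            parent = parent.setdefault(seg, {})
        if op["op"] == "remove":
            parent.pop(segments[-1])
        else:  # add or replace
            parent[segments[-1]] = op["value"]
    return result
```

Running `apply_patch(POD, merge_patch(POD))` keeps `myannotation` alongside the status key, while `apply_patch(POD, overwrite_patch())` leaves only `operator.1password.io/status`, which is exactly the output shown in step 2.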
